Twitter has discovered that a number of torrent sites have been used to steal user names and passwords.
The company says it's the first time it has seen attacks from this source.
Twitter was alerted when it noticed that a couple of accounts had experienced a sudden surge in the number of followers.
The phishing scam exploits the fact that many people use the same user name and password for multiple sites. The perpetrator set up torrent sites requiring a login, and then created forums for torrent site usage, which were sold to third parties.
"However, these sites came with a little extra — security exploits and backdoors throughout the system," says Del Harvey, the company's director for trust and safety.
"This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up."
Twitter can't, of course, identify all the torrent sites that have been affected.
"As a general rule, if you’ve signed up for a torrent forum or torrent site built by a third party, you should probably change your password there," says Harvey.
There's information on keeping a Twitter account secure here.